Thanks! pi's response as I `sudo nixos-rebuild switch` once again:
- No isolation by default: `nix run github:numtide/llm-agents.nix#codex` etc. runs the agent as your user.
- Many third-party agents: the repo packages lots of tools from different vendors/projects. Each has its own telemetry, auth, update, and file-access behavior.
- Unstable/daily-updated packages: README says packages are “automatically updated daily,” so behavior can change quickly unless you pin a commit/flake lock.
- Binary/cache trust: the flake adds https://cache.numtide.com as an extra substituter. Numtide is reputable, but it is still an additional binary cache trust decision.
- Unfree allowed: flake sets nixpkgs.config.allowUnfree = true; some packaged tools may be proprietary/opaque.
- Credential exposure: agents may read .env, shell env vars, cloud tokens, SSH keys, git remotes, browser auth, etc.
- Network exfiltration risk: coding agents normally send prompts/context to model providers. Repo contents or secrets can leak if the tool includes them.
- Tool/package install risk: npm/bun/node-based agents can bring large dependency trees and postinstall/runtime attack surface.
- Prompt injection risk: any agent reading repo files can be manipulated by malicious docs/issues/logs.
Safer way to use it:
```bash
# Pin it, don’t float on main
nix flake lock --update-input llm-agents-nix
```
Use it only inside:
- a dedicated Unix user,
- container/VM,
- restricted workspace,
- no inherited secrets,
- project-local config/cache,
- explicit allowlist of mounted directories.
For your setup, I would not replace the current controlled flake.nix with this wholesale. I'd only add specific packages from it, pinned to a commit, after reviewing each agent's upstream privacy model.
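To make the "safer way" list above concrete, here is a small POSIX sh launcher I put together as an added example; it is not from pi's response above and not part of the llm-agents.nix project. It pins the flake to a reviewed commit (the `PINNED_REV` placeholder is mine and must be filled in by hand), creates a project-local workspace for HOME/config/cache, and starts the agent with `env -i` so only an explicit allowlist of variables reaches it. The `leaked_secret_names` pre-flight check only shows you which inherited variables would have leaked; the `#codex` output name is taken from the post, everything else is assumed.

```sh
#!/bin/sh
# Added example, not from the original post or the llm-agents.nix project:
# launch a packaged coding agent with a pinned flake revision, a dedicated
# workspace, and an explicit, allowlisted environment instead of the
# inherited shell environment.
#
# Assumptions: the flake exposes the agent as the "#codex" output, the
# reviewed commit is supplied via PINNED_REV (placeholder below), and the
# workspace path contains no whitespace.

# Hypothetical pin; replace with the commit you actually reviewed.
# "github:owner/repo/<rev>#output" is standard flake-reference syntax.
PINNED_REV="${PINNED_REV:-REPLACE_WITH_REVIEWED_COMMIT}"
AGENT_REF="github:numtide/llm-agents.nix/${PINNED_REV}#codex"

# Print the allowlisted environment for a workspace, one KEY=VALUE per line.
# Anything not listed here (cloud tokens, the SSH agent socket, exported .env
# values, the real HOME with browser profiles and keys) is deliberately absent.
allowlisted_env() {
    ws="$1"
    printf 'HOME=%s\n' "$ws/home"
    printf 'XDG_CONFIG_HOME=%s\n' "$ws/config"
    printf 'XDG_CACHE_HOME=%s\n' "$ws/cache"
    printf 'PATH=%s\n' "/run/current-system/sw/bin:/usr/bin:/bin"
    printf 'TERM=%s\n' "${TERM:-xterm}"
}

# Read an environment dump (the output of `env`) on stdin and print the names
# of variables that look like credentials. This is a visibility check only:
# it tells you what the inherited shell would have handed to the agent.
leaked_secret_names() {
    grep -Ei '^(SSH_AUTH_SOCK|AWS_[A-Z0-9_]*|[A-Z0-9_]*(TOKEN|SECRET|PASSWORD|API_KEY|CREDENTIAL)[A-Z0-9_]*)=' \
        | cut -d= -f1
}

# Create the project-local layout the allowlist points at and echo its path.
prepare_workspace() {
    ws="$1"
    case "$ws" in
        *[[:space:]]*) echo "workspace path must not contain whitespace" >&2; exit 1 ;;
    esac
    mkdir -p "$ws/home" "$ws/config" "$ws/cache" "$ws/project"
    printf '%s\n' "$ws"
}

# Launch the agent with `env -i` so only the allowlisted variables exist.
# Intended to be run as a dedicated unprivileged user whose HOME holds no keys;
# a container or VM around this adds the filesystem/network boundary.
run_agent() {
    ws="$(prepare_workspace "$1")"; shift
    cd "$ws/project" || exit 1
    leaked="$(env | leaked_secret_names)"
    if [ -n "$leaked" ]; then
        printf 'note: not inheriting credential vars: %s\n' \
            "$(printf '%s' "$leaked" | tr '\n' ' ')" >&2
    fi
    # Word-splitting the KEY=VALUE lines is intended (workspace has no spaces).
    env -i $(allowlisted_env "$ws") nix run "$AGENT_REF" -- "$@"
}

# Usage: PINNED_REV=<commit> ./agent-launch.sh /srv/agent-ws [agent args...]
case "${1:-}" in
    "") ;;                  # no arguments: only define the functions
    *)  run_agent "$@" ;;
esac
```

Pair this with the dedicated-user and container/VM points from the list: `env -i` removes inherited secrets, but it does nothing about files the agent can reach, so the workspace directory should be the only thing mounted or readable.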